ENH Refactor password reset to support SameSite=Strict

[Cheddam]

Description

Performing an immediate redirect on a request from an external website, such as a web-based email client, causes the new request to be treated as external, and when the session cookie is set to Samesite=Strict, this prevents the cookie from being sent by the browser, triggering a fresh session. This meant that the existing password reset mechanism would not function in this mode, as the AutoLoginHash was being stored in the session and immediately lost, triggering a redirect to the login form.

This change refactors the change password handler to instead push the AutoLoginHash value into the change password form as a hidden field, ensuring it can be read during submission.

It also includes broader test coverage of the change password handler, though this remains incomplete due to time constraints.

Manual testing steps

Enable SameSite=Strict on session cookies:

SilverStripe\Control\Session:
  cookie_samesite: 'Strict'

Issues

• Password reset links break when SameSite Strict is applied to sessions #11565

Pull request checklist

• The target branch is correct
  • See picking the right version
• All commits are relevant to the purpose of the PR (e.g. no debug statements, unrelated refactoring, or arbitrary linting)
  • Small amounts of additional linting are usually okay, but if it makes it hard to concentrate on the relevant changes, ask for the unrelated changes to be reverted, and submitted as a separate PR.
• The commit messages follow our commit message guidelines
• The PR follows our contribution guidelines
• Code changes follow our coding conventions
• This change is covered with tests (or tests aren't necessary for this change)
• Any relevant User Help/Developer documentation is updated; for impactful changes, information is added to the changelog for the intended release
• CI is green